VYPR
Medium severity (5.3) · NVD Advisory · Published May 28, 2025 · Updated Apr 15, 2026

CVE-2024-47057

Description

Summary

This advisory addresses a security vulnerability in Mautic related to the "Forget your password" functionality. This vulnerability could be exploited by unauthenticated users to enumerate valid usernames.

User Enumeration via Timing Attack: A user enumeration vulnerability exists in the "Forget your password" functionality. Differences in response times for existing and non-existing users, combined with a lack of request limiting, allow an attacker to determine the existence of usernames through a timing-based attack.

Mitigation

Please update to a version that addresses this timing vulnerability, in which password reset responses are normalized so that they take the same time regardless of whether the user exists.
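As an added illustration, not Mautic's code or part of this advisory, the following shows the reset pattern the description attributes to the flaw beside a normalized handler and a request limiter, the two controls the advisory points at. The user store, mailer stand-in and limiter are constructed in-memory fixtures, and a PBKDF2 call stands in for the costly work (token persistence, e-mail rendering) a real reset path performs on a hit.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed in-memory fixtures; not Mautic's schema, mailer or limiter.
USERS = {"alice": "alice@example.invalid", "bob": "bob@example.invalid"}
OUTBOX = []                      # stands in for the mailer
STATE = {"tokens_issued": 0}     # instrumentation: how often the costly path ran
RESPONSE = "If an account with that username exists, a reset e-mail has been sent."

def _issue_token(email: str) -> str:
    # Token derivation plus a deliberately costly step standing in for the real work.
    STATE["tokens_issued"] += 1
    token = secrets.token_urlsafe(32)
    hashlib.pbkdf2_hmac("sha256", token.encode(), email.encode(), 50_000)
    return token

def reset_leaky(username: str) -> str:
    # The pattern the advisory describes: the costly work runs only when the account
    # exists, so elapsed time differs for known and unknown names despite identical bodies.
    email = USERS.get(username)
    if email is not None:
        OUTBOX.append((email, _issue_token(email)))
    return RESPONSE

def reset_normalized(username: str) -> str:
    # Hardened form: the same work on every request; the token is simply discarded
    # for unknown accounts, so both branches cost the same.
    email = USERS.get(username)
    token = _issue_token(email if email is not None else "decoy@example.invalid")
    if email is not None:
        OUTBOX.append((email, token))
    return RESPONSE

class ResetRateLimiter:
    # Fixed-window limiter for the reset endpoint: the advisory pairs the timing
    # difference with a lack of request limiting, and a cap bounds repeated probing.
    def __init__(self, limit: int = 5, window_s: float = 60.0):
        self.limit, self.window_s, self._hits = limit, window_s, defaultdict(list)

    def allow(self, client: str, now: float) -> bool:
        # 'now' is a monotonic timestamp supplied by the caller.
        recent = [t for t in self._hits[client] if now - t < self.window_s]
        if len(recent) >= self.limit:
            self._hits[client] = recent
            return False
        self._hits[client] = recent + [now]
        return True
```

Inspecting STATE["tokens_issued"] after each call shows the leaky handler skipping the costly path for unknown names while the normalized one runs it every time.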

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Ecosystem   Affected versions          Patched versions
mautic/core   Packagist   >= 1.0.0, < 4.4.16         4.4.16
mautic/core   Packagist   >= 5.0.0-alpha, < 5.2.6    5.2.6
mautic/core   Packagist   >= 6.0.0-alpha, < 6.0.2    6.0.2
